A CMMC compliance assessment is the formal audit that confirms a defense contractor’s cybersecurity is adequate to handle sensitive Department of Defense information. For companies in the defense industrial base, passing is a prerequisite for winning or keeping contracts that involve Controlled Unclassified Information (CUI).
The CMMC framework replaced self-attestation with verified evidence. The old “trust me” model is no longer accepted for contracts involving CUI. A contractor must now produce objective quality evidence that each required control is in place and functioning.
What a CMMC assessment involves
The assessment is structured around four components.
| Component | Description | What it means in practice |
|---|---|---|
| Scope | Identifies every asset, person, and process that handles CUI | The contractor must define the authorization boundary being audited |
| Evidence | Documentation, configurations, and demonstrations that prove controls are implemented | Organized proof is required for every security requirement |
| Interviews | Assessors speak with staff to confirm processes are followed as documented | Team members must be able to describe their security responsibilities |
| Scoring | Point-based review against the applicable control set (110 controls for Level 2) | A specific score threshold is required to pass; limited gaps can be closed through a Plan of Action and Milestones (POA&M) |
The three levels of CMMC 2.0
CMMC is tiered so that the security burden scales with the sensitivity of the information involved.
Level 1: Foundational
Level 1 applies to companies that handle Federal Contract Information (FCI) but not CUI. FCI is information generated for a contract that is not intended for public release but is not as sensitive as CUI.
The assessment is an annual self-assessment against the 17 basic controls in FAR 52.204-21. A senior company official must formally affirm compliance and upload the score into the DoD’s Supplier Performance Risk System (SPRS).
Level 2: Advanced
Level 2 applies to the majority of defense contractors because it is required when a company creates, stores, or transmits CUI. The 110 controls in NIST SP 800-171 apply in full.
The significant change at Level 2 is the shift from self-attestation to independent verification. The audit is conducted by a CMMC Third-Party Assessment Organization (C3PAO). Certified assessors verify that every control is implemented, operating correctly, and supported by objective evidence. The assessment cycle is triennial.
In narrow cases, a contract involving CUI may require only an annual self-assessment. Contractors should assume a third-party audit is required unless the contract explicitly states otherwise. For a detailed view of the evidence a C3PAO typically requests, see CMMC Level 2 email controls and what your C3PAO will ask.
Level 3: Expert
Level 3 is reserved for companies working on the most critical DoD programs, where the compromise of CUI could cause severe damage to national security. It requires all 110 controls from NIST SP 800-171 plus an additional set of enhanced controls from NIST SP 800-172. The additional controls are designed to defend against Advanced Persistent Threats.
The Level 3 audit is conducted directly by the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) rather than a C3PAO. The cycle is also triennial.
The assessment process
Preparation is a project, not an event. Most contractors should plan for a 6- to 18-month timeline from initial gap analysis to certification, depending on the maturity of their existing security program.
Phase 1: Scoping and gap analysis
The first and most important phase is scoping. The contractor must identify every person, system, and process that touches CUI. Together these define the authorization boundary: everything inside the boundary is subject to audit, everything outside is not.
A poorly defined scope is one of the fastest paths to assessment failure. If the scope is too narrow, an assessor will find CUI in unscoped systems and the audit will expand. If the scope is too broad, the full 110 controls must apply across the entire organization, which drives cost and complexity up substantially.
CUI data flow diagrams are the practical tool. They answer four questions:
- Where does CUI originate?
- Where is it stored?
- Who has access to it?
- How does it leave the environment?
With the boundary defined, the gap analysis compares current security posture against the 110 required controls. The output is a prioritized list of what is in place, what is partial, and what needs to be built.
Phase 2: Remediation and evidence collection
Remediation closes the gaps identified in the analysis. This is the hands-on work of deploying tools, writing policies, and reconfiguring systems to meet each control.
In parallel, the contractor must begin gathering objective quality evidence. For every control claimed, the assessor will expect proof that the control is not just documented but operating as intended. Evidence falls into a few categories:
- Policy and procedure documents
- Configuration screenshots and exports
- System logs and monitoring reports
- Training records
This phase is the most time-consuming part of the process. Every one of the 110 controls needs organized, verifiable evidence that an assessor can review.
Phase 3: Engaging a C3PAO
C3PAOs are listed in the official CyberAB Marketplace and are the only organizations authorized to conduct a Level 2 CMMC assessment. Demand currently exceeds C3PAO capacity significantly, which means lead times are long and getting longer. Contractors who delay engaging an assessor will find themselves at the back of the queue.
Phase 4: The assessment and post-assessment
The formal assessment typically takes several days. Assessors review evidence, interview team members, and may run technical tests to validate that controls are operating correctly.
A passing result produces a three-year certification. Minor gaps can be addressed through a Plan of Action and Milestones (POA&M), with a typical window of up to 180 days to remediate. If the contractor cannot close the gaps in that window, the assessment must be repeated in full.
Pre-assessment preparation
A defensible CMMC posture comes from careful preparation, not last-minute sprinting. The following sequence is the most efficient path.
Define the CUI data boundary
Before any control is implemented, identify every person, device, application, and physical space that interacts with CUI. Build CUI data flow diagrams that document origin, storage, access, and exit points.
The objective is a defensible, isolated CUI enclave. The smaller and more clearly scoped the enclave, the simpler the assessment becomes.
Develop the key documents
When an assessment begins, the first request is almost always for documentation. Two documents are foundational:
- System Security Plan (SSP). The master description of how the contractor satisfies each of the 110 NIST SP 800-171 controls. A weak SSP states “we use multi-factor authentication.” A strong SSP states which product enforces MFA, where it is enforced, who manages the configuration, and under which policy.
- Plan of Action and Milestones (POA&M). A register of controls that are not yet fully met, the remediation tasks, the responsible owner, and the deadline. An empty POA&M is a red flag, because it usually means the contractor has not performed an honest self-assessment.
Both documents must be maintained as the environment evolves.
Map and organize evidence
For every control in the SSP, there must be tangible proof. Evidence generally falls into three categories: documentation, configuration artifacts, and logs or records.
Manually gathering evidence across a dozen disconnected systems is the most common source of preparation delay. A unified platform that generates audit-ready artifacts for access control, encryption, email security, and file handling removes most of the manual collection work.
Test the incident response plan
Incident Response is one of the control families with the highest assessment failure rate, because a written plan is not the same as a tested plan. A tabletop exercise, run with the designated incident response team, is the only way to confirm the plan can actually be executed under pressure.
Document the exercise: participants, decisions, actions taken, and after-action lessons. That after-action report becomes evidence that the control is operationally in place, not just on paper. For the specific reporting timeline, see DFARS 72-hour cyber incident reporting.
Where assessments most commonly fail
Three failure patterns account for the majority of CMMC Level 2 issues.
Poorly defined scope
When the authorization boundary is not fully mapped, the assessor finds CUI in systems that were assumed to be out of scope. The audit expands, new gaps emerge, and the assessment stalls.
Two defenses apply. First, map the data flow exhaustively so the boundary is defensible. Second, minimize the CUI footprint by consolidating CUI-related work into a dedicated, compliant enclave. A pre-scoped compliant platform dramatically reduces the risk that CUI leaks into unscoped systems.
A paper-only SSP
A generic template SSP that does not describe the actual environment fails the first thirty minutes of any assessment. The SSP must be specific about which tool implements each control, how it is configured, and who is responsible for maintaining it. It must also be updated as the environment changes.
Missing objective evidence
The phrase “if you cannot show me, you did not do it” is the operational reality of a CMMC audit. Common evidence gaps include access control logs, MFA enforcement proof across all required accounts, and documentation of actual incident response exercises. The defense is to centralize both controls and evidence so that artifacts can be produced on demand rather than assembled under time pressure.
Common questions about the CMMC assessment
How long does a CMMC Level 2 certification last?
The certification is valid for three years. Annual self-assessments are required in the interim, with a senior official affirming continued compliance in the DoD’s Supplier Performance Risk System (SPRS). The certification comes from the triennial audit; annual affirmation keeps it active.
What happens if the assessment is failed?
A failed assessment prevents certification and therefore blocks the contractor from DoD contracts that require the target level. The C3PAO provides a detailed report of failed controls. The contractor typically has a window of up to 180 days to remediate and re-submit evidence. If remediation cannot be completed within that window, the process restarts with a new, fully paid assessment. Getting the assessment right the first time is by far the most cost-effective strategy.
Is commercial Microsoft 365 or Google Workspace sufficient for CMMC?
For contractors handling CUI, no. Standard commercial Microsoft 365 and Google Workspace accounts typically fail DFARS 252.204-7012 and ITAR requirements. The most common gaps are data residency (no guarantee that data stays within the U.S.), personnel screening (support staff may not be U.S. persons), and encryption standards (commercial services are not operated within a FIPS 140-validated boundary). Government-grade offerings such as Microsoft 365 GCC High address some of these gaps but require a long and complex migration. For a direct comparison, see IRONKEEP vs GCC High and how safe Google Drive is for CUI.
What is CUI, and how does it affect which level applies?
CUI is Controlled Unclassified Information, the federal label for sensitive but unclassified data that is protected under law, regulation, or government-wide policy. Contractors that handle CUI are subject to CMMC Level 2. Contractors that only handle FCI fall under Level 1. For the underlying definition, see what is Controlled Unclassified Information.